Newsgroups: php.internals
In-Reply-To: <1861338437.20140203135938@cypressintegrated.com>
References:
<1861338437.20140203135938@cypressintegrated.com>
Date: Mon, 3 Feb 2014 19:33:54 +0000
To: Sanford Whiteman
Cc: Daniel Lowrey
Subject: Re: [PHP-DEV] Windows Peer Verification
From: padraic.brady@gmail.com (Pádraic Brady)

Hi,

On 3 February 2014 18:59, Sanford Whiteman wrote:
>> Personally, I say no. If people are going to programmatically use encrypted
>> stream transfers they need to at the very least understand the basics of
>> the CA system. We shouldn't subsidize insecurity, and it's trivially easy
>> to procure a CA file.
>
> That's a double standard. You're saying _Windows_ users need to "at
> the very least understand" while other users don't need to understand
> it at all, because It Just Works.
>
> And anyway I'm not in agreement that if people are going to use
> outbound encryption -- if they are going to simply call a PHP function
> -- they need to understand how to update their local CA bundle. I
> would think that, the majority of the time, users are either [a]
> loading a provided "PHP binding" (.PHP file) for a public API or [b]
> copying-and-pasting boilerplate code from API documentation and, just
> speaking realistically, you should not expect them to know what's
> going on under the hood. You can have a relatively good understanding
> of HTTP (without the S) and when your service says "now you must use
> encryption" there shouldn't be a big learning curve on the user side.

I agree absolutely. For better or worse, we can't expect programmers to become security experts just because we wish it. I've already noted a problem with programmers not adopting a simple year-old disable_compression SSL context option in the wild, and that's in a population of open source code that has countless experienced programmers. There may be a minimum bar, but I think people overestimate how many programmers can jump over it.
In that context, a bit of smart subsidising harms nobody and helps many. One could argue that setting CN_match on an SSL context is trivial, but then this is something I saw less than 4 months ago:

"Verify host name for SSL requests – Requests is now the first and only PHP standalone HTTP library to fully verify SSL hostnames even with socket connections. This includes both SNI support and common name checking."

Subsidising the trivial is not a bad thing ;).

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
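The SSL stream-context options the message names (CN_match, disable_compression, a CA file), as an added PHP example that is not from the thread or from PHP's own documentation: a context that skips verification beside one that requests each check explicitly. The host name and CA bundle path are assumed placeholders.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// Assumed values: the target host and the CA bundle path are placeholders.
$host   = 'api.example.com';
$cafile = '/etc/ssl/certs/ca-bundle.crt';

// Weak: the context that "just works" on a box with no CA bundle.
// Neither the chain nor the host name is checked, so any certificate an
// interposer presents is accepted. Before PHP 5.6 verify_peer defaulted
// to false, so omitting the option entirely gave the same result.
$weak = stream_context_create(array(
    'ssl' => array(
        'verify_peer'       => false,
        'allow_self_signed' => true,
    ),
));

// Hardened: every verification step the message refers to, set by hand.
$strict = stream_context_create(array(
    'ssl' => array(
        'verify_peer'         => true,    // chain check against cafile
        'allow_self_signed'   => false,
        'cafile'              => $cafile, // without a bundle this fails closed
        'verify_depth'        => 5,
        'CN_match'            => $host,   // host-name check (pre-5.6 option name)
        'SNI_enabled'         => true,    // send the host name in ClientHello
        'SNI_server_name'     => $host,
        'disable_compression' => true,    // the year-old option cited above
    ),
));

// Opens a TLS socket with the given context and reports whether peer
// verification was requested. With $strict, a missing CA file or a
// host-name mismatch surfaces as a connect error instead of a silent success.
function open_tls($host, $context)
{
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        return "connect failed: $errstr ($errno)";
    }
    fclose($fp);
    $opts = stream_context_get_options($context);
    return 'connected, verify_peer '
         . (empty($opts['ssl']['verify_peer']) ? 'OFF' : 'ON');
}

echo open_tls($host, $strict), "\n";
```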